Dr. Tom Shinder’s Blog

All Blogs  »  Dr. Tom Shinder's Blog  »  Archive: March 2008

Help Employees Develop Better Security Habits

The topic of end-user security training is always a fun one to bring up because of the wide array of opinions on its relative value. On one end you have the security admins who believe that not only does end-user training not help, it provides the end-users with knowledge and tools that can make the security situation on the network worse. On the other end of the scale are those security admins who believe that the only way to really secure the network at the host level is to teach the users good security habits. Most of us lie somewhere between these two extremes.

While end user training will never be a panacea, a certain level of training and awareness of security issues on the end user’s part can make a big difference in terms of managing the number of worms, Trojans and viruses on your network. Users can be trained to not click on email attachments from unknown senders, be trained in how to examine URLs in links so that they can determine if there might be something amiss with the link, and how to check email headers in suspicious messages. True, not every end user is going to be interested and not all will take your advice, but if there are enough end users who are interested in good computer security practices, there is the potential for them to create a critical mass and group dynamics will then come into play to bring the stragglers up to speed.

The problem is that IT admins are computer admins, not trainers or teachers. If they wanted to be trainers or teachers, they would have gone into the training or teaching industries. There is also the time involved, as you need to develop training materials and prepare presentations. The truth is that you really don’t need to do all that much work. Just 15 minutes a week preparing an email, flyer or poster can go a long way toward teaching your employees better network security practices.

If you’re interested in employee training and wondering how to get started, check out this article: http://www.microsoft.com/midsizebusiness/network-s...t.mspx The author brings up a number of useful ideas that you can put into practice immediately.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Close the Removable Device Security Hole

Many claim that there is no longer a network perimeter. Historically, the Internet access gateway was seen as the perimeter of the network and if you hardened that perimeter well enough, you would be safe from unauthorized access to your network. Most network security administrators realize that this is no longer the case, and that Internet edge protection is just one of many different perimeters that need to be monitored and managed.

One perimeter that doesn’t get the attention it deserves is the hardware perimeter. Back in the day, the hardware perimeter was the floppy disk. A person could put a compromised floppy disk into a computer and inject it with a virus, worm or Trojan. They could also copy information from the computer or from the network to the floppy disk.

However, the risk of major data loss or compromise through the floppy disk was limited because the disk didn’t have much carrying capacity. Floppy disks are all but gone these days and they have been replaced by USB keys and USB removable drives. USB keys keep getting bigger and it’s not unusual to see people walking around with 4 GB+ USB keys on their keychains. USB drives are in the terabyte range now. If an unauthorized person is able to connect one of these keys or drives to your computer, they could download entire corporate databases and file servers.

USB keys and USB drives are also able to carry viruses, Trojans and worms. Also, because of their high capacity, they can carry large databases, such as rainbow tables, that can be used to compromise passwords on the network. Because of their carrying capacity, these USB devices therefore increase by many orders of magnitude the risk that removable devices present to your network at the hardware perimeter.

Windows Server 2008 Group Policy can help you solve this problem. There is a setting in the:

Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

section of Group Policy that allows you to prevent installation of removable devices.

The description of this setting from the policy goes like this:

———————————————————–

Prevent installation of removable devices

Prevents removable devices from being installed.

If you enable this setting, removable devices may not be installed, and existing removable devices cannot have their drivers updated.

If you disable or do not configure this setting, removable devices can be installed and existing removable devices can be updated as permitted by other policy settings for device installation.

NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.

For this policy, a device is considered to be removable when the drivers for the device to which it is connected indicate that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected.

If this computer is a Terminal Server, then enabling this policy also affects redirection of the specified devices from a Terminal Services Client to this computer.

———————————————————–
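The description above says the policy blocks new installations and driver updates, which leaves devices that were installed before the policy arrived untouched. The following is an added example, not code from the original post, that reports whether the policy is in effect on a host and lists the USB disks already installed there. The registry location of the policy value is an assumption on my part, not something the post states.

```powershell
# Added example, not from the original post: report whether the
# "Prevent installation of removable devices" policy is in effect on this host
# and list the USB disks that are already installed. The policy blocks new
# installations and driver updates; devices installed before it was applied
# keep working, so they should be reviewed separately.
# Assumed: the policy writes the DenyRemovableDevices value under the key below.

$RestrictionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-RemovableDeviceInstallBlocked {
    # $true when the policy is enabled (DWORD value 1), $false when absent or disabled
    $props = Get-ItemProperty -Path $RestrictionKey -ErrorAction SilentlyContinue
    return ($props -ne $null -and $props.DenyRemovableDevices -eq 1)
}

function Get-InstalledUsbDisks {
    # Disks the disk class driver currently sees on a USB interface
    Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType='USB'" |
        Select-Object Model, SerialNumber,
            @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) }}
}

if (Test-RemovableDeviceInstallBlocked) {
    Write-Host 'Prevent installation of removable devices: ENABLED'
} else {
    Write-Warning 'Prevent installation of removable devices: not configured on this host'
}

$usbDisks = @(Get-InstalledUsbDisks)
Write-Host ('USB disks already installed: {0}' -f $usbDisks.Count)
$usbDisks | Format-Table -AutoSize
```

Any disk listed after the policy shows as enabled was installed before the policy applied and still works; uninstall it from Device Manager if it should not be there.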

I highly recommend that you consider upgrading to Windows Server 2008 for this and other Group Policy enhancements. Don’t let the USB hole be your undoing. It is the second most important hole you need to close on your network, with the SSL security hole being the most dangerous at this time. You can close the SSL security hole using an ISA Firewall together with Collective Software’s (www.collectivesoftware.com) ClearTunnel.

HTH,

Tom


Microsoft System Center Mobile Device Manager 2008

As just about everyone knows, mobile devices are the fastest growing type of device connecting to your network today. This is a very delicate situation, because while remote access from conventional computers has been a standard for a number of years, mobile devices are relatively new and many of them are not designed with security in mind. For example, the vast majority of mobile devices do not run anti-malware applications and there is very little documentation on how to secure each type of mobile device.

Management is another major problem with mobile devices. While it’s a simple affair to manage and monitor remote laptops, such centralized management of mobile devices is not so easy. Centralized configuration of these devices would go a long way toward helping secure your network environment and the data contained on the mobile devices themselves.

Having recognized this problem, I was pleasantly surprised to see that Microsoft is coming out with a new product: Microsoft System Center Mobile Device Manager 2008. I didn’t think it was possible to come out with any more members of the System Center family, but this new product looks like it will be exceptionally useful for the Microsoft admin who needs to deal with the onslaught of handheld computing devices connecting to their networks today.

For more information about MS System Center Mobile Device Manager 2008, check out:

http://www.microsoft.com/windowsmobile/mobiledevic...t.mspx

http://www.microsoft.com/systemcenter/mobile/defau...t.mspx

HTH,

Tom


Serving as Unofficial Security Support for Family and Friends

As a network professional, how often do you find yourself being called at any time of day to help friends and family with computer problems? How many of those problems could have been prevented by those friends and family having implemented basic security best practices? How much more sleep would you get if they did use some basic security in their everyday computing life?

If this sounds familiar to you, then you might want to check out Deb Shinder’s article on the www.microsoft.com Web site on how to act as the de facto security officer for your friends and family. Find the article at:

http://www.microsoft.com/technet/community/columns...t.mspx

For another take on the issue, check out Steve Riley’s article over at:

http://www.microsoft.com/technet/community/columns...8.mspx

HTH,

Tom


The Windows Server 2008 Security Guide Released

From the introduction of the Windows Server 2008 Security Guide:

IT security is everybody’s business. Every day, adversaries are attempting to invade your networks and access your servers to bring them down, infect them with viruses, or steal information about your customers or employees. Attacks come from all directions: from onsite employee visits to Web sites infected with malware, to offsite employee connections through virtual private networks (VPNs), branch office network connections to corporate servers, or direct assaults on vulnerable computers or servers in your network. Organizations of all sizes now also face more complex and demanding audit requirements.

You know firsthand how essential your servers are to keeping your organization up and running. The data they house and the services they provide are your organization’s lifeblood. It is your job to stand guard over these essential assets, prevent them from going down or falling victim to attacks from outside and inside your organization, and to prove to auditors that you have taken all reasonable steps to secure your servers.

Windows Server 2008 is engineered from the ground up with security in mind, delivering an array of new and improved security technologies and features that provide a solid foundation for running and building your business. The Windows Server 2008 Security Guide is designed to further enhance the security of the servers in your organization by taking full advantage of the security features and options in Windows Server 2008.

This guide builds on the Windows Server 2003 Security Guide, which provides specific recommendations about how to harden servers running Windows Server 2003 with Service Pack 2 (SP2). The Windows Server 2008 Security Guide provides recommendations to harden servers that use security baselines for the following two environments:

  • Enterprise Client (EC). Servers in this environment are located in a domain that uses AD DS and communicate with other servers running Windows Server 2008 or Windows Server 2003 SP2 or later. The client computers in this environment include a mixture: some run Windows Vista® whereas others run Windows XP with SP2 or later. For information about the baseline security settings that this environment uses, see “Appendix A: Security Group Policy Settings.”
  • Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The servers in this environment run only Windows Server 2008. For information about the SSLF settings that this environment uses, see “Appendix A: Security Group Policy Settings.”

Check out the complete guide at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


Microsoft Small Business Security Quiz

Small businesses have it rough. They usually depend on a single network admin who has to manage all the clients and servers on the network. The same admin might have to work with multiple, complex servers, such as Microsoft Exchange, Microsoft SQL and Microsoft SharePoint Services. Then there’s putting out all the fires that come up day to day with various line of business applications and fixing computers with broken hardware or user-initiated software issues. Finally, that overworked admin also has to deal with one of the most complex aspects of computer network management: security.

Well, for all you small business computer guys, here’s a little test for you to take to see how you’re doing with your security knowledge. While not at all comprehensive, it’s a nice way to pass the time:

http://www.microsoft.com/smallbusiness/support/qui...s.mspx

If you don’t get all the answers right, no problem. The test is just for fun, but you should take a chance to learn something from it. If you’re running a small business network, here’s a short security checklist that can get you started:

http://www.microsoft.com/smallbusiness/support/che...t.mspx

HTH,

Tom


BitLocker Security Hole? Not in the Real World

You might have read about a possible BitLocker security hole that would allow a malicious user access to information secured on a BitLocker encrypted volume. If not, check out this story:

http://www.securityfocus.com/brief/686

The problem with this supposed security hole is that the following assumptions must be made about the system being protected by BitLocker:

  • The user hasn’t configured a log on PIN for BitLocker
  • The user hasn’t configured a USB key to be used with BitLocker log in
  • The user hasn’t configured both a USB key and a PIN to be used with BitLocker log in (this is supported by Windows Server 2008 and Vista SP1)
  • The attacker has physical access to the machine (obviously)
  • The user’s computer is in Sleep mode, not in Hibernation mode
  • The attacker has a laptop, compressed air, and special tools on hand to quickly access the information contained in RAM

That is a lot of assumptions, which makes it extremely unlikely that the attack would actually be carried out in the real world. However, there is always the risk of a specifically targeted attack, where the attacker knows the victim whose computer he wants to steal and carefully sets up the scenario in advance so that all the conditions required to compromise the BitLocker protected volume are in place. In such a targeted attack, it’s more likely that the BitLocker exploit can be executed.

However, you as a network admin have the power to completely foil such an attack. How? By configuring Group Policy so that users are required to authenticate at startup with a PIN or USB key. In addition, you can configure Group Policy or use scripts to ensure that Sleep mode is disabled and that users always enter Hibernation mode when they close the computer.

Using these simple methods, you completely obviate the risk of the exploit described for retrieving key material from RAM and make it impossible for an attacker to use this exploit to compromise BitLocker protected volumes.

For more information about best practices for protecting BitLocker encrypted volumes and managing fleets of BitLocker enabled computers, check out the Microsoft Data Encryption Toolkit at:

http://www.microsoft.com/technet/security/guidance...8.mspx

HTH,

Tom


Back Up Your BitLocker Keys - Create a Security Policy

As you know from reading this blog on a regular basis, BitLocker is a volume encryption application included with Windows Vista and Windows Server 2008. With Windows Vista SP1, you’ll be able to encrypt both the Windows boot volume and any data volume. Without SP1, Vista machines can only encrypt the Windows boot volume. Windows Server 2008 can use BitLocker to encrypt both the Windows boot volume and any data volumes.

A number of keys and passwords are used to help ensure the security of the BitLocker volume. The TPM chip on BitLocker enabled machines lets the system check the integrity of boot files and components to make sure they haven’t been tampered with. You can use BitLocker with only a TPM, without having to enter a PIN or USB key. However, for better security, you should use a TPM to ensure the integrity of the boot components and a PIN or USB key to ensure that only authorized users are allowed to access the information on the encrypted volume.

When you use a TPM together with a log on PIN, the TPM will check the status of the boot components, and if the check shows no tampering, then you can enter a PIN that you created when you enabled BitLocker on the volume. The system will boot and access the encrypted volume after entering the correct PIN. For even greater security, instead of a PIN, you can require that the user plug in a USB key that contains the decryption key for the encrypted volumes.

When users enable BitLocker on their computers, they also have the option to create recovery keys. These recovery keys can be used to access the system in the event that the USB key or PIN is lost or otherwise not available. The recovery password is a 48-digit string that can be used to recover the BitLocker protected volume. You can also create a key package that is used together with the recovery password to decrypt portions of a BitLocker protected volume if the disk is severely damaged. Other information that you can back up is the TPM owner password hash. When ownership of the TPM is taken, a hash of the owner password can be stored; this information can be used to reset ownership of the TPM.

As you can see, there is a lot of information you need to back up to make sure that users aren’t locked out of their computers. Users should be instructed on how to create a recovery package using a USB key, and to keep a copy of their recovery password in a safe place, but one that is accessible in the event that they need to use it.

On an enterprise basis, you should create a policy for backing up this important information. This is a policy that I recommend:

  • Always require backup of recovery passwords to AD DS.
  • Always require backup of key package data to AD DS.
  • Always require backup of TPM owner information to AD DS.
  • Use recovery keys along with recovery passwords as a backup or alternate recovery method.
  • If you are using TPM + PIN or USB startup keys, change them regularly.
  • On TPM-enabled computers, use a BIOS administrator password to prohibit unauthorized access to TPM administrative functions.
  • Educate users that they should not store key material such as USB startup keys with the system that such material unlocks.
  • If you use recovery keys, store them in a central location for purposes of support and disaster recovery.
  • Back up recovery material to secure offline storage for long-term recoverability.

Using such a policy, you won’t get stuck with encrypted data that you will never be able to access again. Another recommendation is that you ensure that users always back up important data to a location off the BitLocker encrypted volume. Whether this is an encrypted DVD, tape, or a remote file share (encrypted or unencrypted) doesn’t matter.
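An added example, not code from either of the BitLocker posts, that audits one machine for the points raised in both: the startup authentication and hibernation mitigations from the BitLocker security hole post, and the AD DS backup requirements from the policy list above. The Win32_EncryptableVolume WMI class is the one BitLocker ships with; the policy registry locations and values under the FVE, TPM and Power keys are my assumptions rather than anything the posts state.

```powershell
# Added example, not from the original posts: audit a BitLocker machine for the
# conditions discussed above: which key protectors each volume has (TPM only is
# the case the cold-boot story assumes), whether hibernation is on and standby
# disallowed, and whether policy requires recovery information to be backed
# up to AD DS. Assumed, not taken from the page: the policy registry locations
# and values under the FVE, TPM and Power keys below.

$ProtectorName = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
                    4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'
                    7 = 'Public key'; 8 = 'Passphrase' }

function Get-BitLockerVolumeAudit {
    # Win32_EncryptableVolume is the WMI provider BitLocker ships with (needs elevation)
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $codes = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = every protector type
        if ($ids) {
            foreach ($id in $ids) { $codes += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
        }
        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protected  = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
            Protectors = (($codes | ForEach-Object { $ProtectorName[$_] }) -join ', ')
            # TPM protector present with no PIN or startup-key variant alongside it
            TpmOnly    = ($codes -contains 1) -and -not ($codes -contains 4 -or $codes -contains 5 -or $codes -contains 6)
        }
    }
}

function Get-PowerStateAudit {
    # HibernateEnabled is the value 'powercfg -h on|off' toggles (assumed location)
    $pwr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    # Policy "Allow standby states (S1-S3) when sleeping"; setting index 0 = disallowed (assumed GUID)
    $sb = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        HibernateEnabled   = ($pwr -ne $null -and $pwr.HibernateEnabled -eq 1)
        StandbyBlockedOnAC = ($sb -ne $null -and $sb.ACSettingIndex -eq 0)
        StandbyBlockedOnDC = ($sb -ne $null -and $sb.DCSettingIndex -eq 0)
    }
}

function Get-RecoveryBackupPolicyAudit {
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $tpm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        # "Turn on BitLocker backup to AD DS": backup on and required before encryption may start
        RecoveryPasswordBackupRequired = ($fve -ne $null -and $fve.ActiveDirectoryBackup -eq 1 -and $fve.RequireActiveDirectoryBackup -eq 1)
        # ActiveDirectoryInfoToStore: 1 = recovery passwords and key packages, 2 = passwords only
        KeyPackagesStoredInAD          = ($fve -ne $null -and $fve.ActiveDirectoryInfoToStore -eq 1)
        # "Turn on TPM backup to AD DS": same pair of values under the TPM policy key
        TpmOwnerInfoBackupRequired     = ($tpm -ne $null -and $tpm.ActiveDirectoryBackup -eq 1 -and $tpm.RequireActiveDirectoryBackup -eq 1)
    }
}

Get-BitLockerVolumeAudit | Format-Table Drive, Protected, Protectors, TpmOnly -AutoSize
Get-PowerStateAudit | Format-List
Get-RecoveryBackupPolicyAudit | Format-List
```

Run it from an elevated prompt; a volume reported as TpmOnly with HibernateEnabled false and standby allowed is exactly the configuration the cold-boot story depends on, and any False in the backup audit means a lost PIN or key on that machine may not be recoverable from AD DS.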

For more information on enabling backup of key and password information to the AD, check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom


Remember to Back Up those Encrypting File System (EFS) Keys

The Encrypting File System (EFS) uses the private key of the user’s EFS certificate to encrypt files on disk. You can find this user certificate in the Certificates MMC snap-in; it lists File Encryption as its intended purpose. This certificate is extremely valuable to you, since if you lose the private key that goes with the certificate, you won’t be able to decrypt the files that you have encrypted on your hard disk.

Well, that’s not completely true. There is something called the EFS Recovery Agent. If you are running your computers in a Windows domain, then the default Recovery Agent will be the Administrator account on the first domain controller you installed in your Windows domain. You can use the private key included in the Recovery Agent’s certificate to decrypt files that other users in the domain have encrypted. This allows the Recovery Agent to take ownership of the files and then use the Recovery Agent key to decrypt the files for the user in the event that the user loses his EFS certificate with his private key.

To keep safe, the user should back up his own EFS certificate and put it in a safe place that he can access in the event that the EFS certificate is lost or corrupted. The user can use the Certificates MMC to copy the certificate to an encrypted USB key. Then, if something bad happens to the certificate, the user can import the EFS certificate back to his computer and access his encrypted data.

In a similar fashion, you should back up the EFS Recovery Agent certificates in your domain. You can use the default Recovery Agent, or you can remove the default Recovery Agent and add another user as a domain Recovery Agent. Regardless of your choice of Recovery Agents, you should back up the Recovery Agent’s private key and certificate and put them in a safe place. I recommend that you copy the key to a safe place on site and lock it away, and also maintain another copy off-site in the event that your site is destroyed by fire or other horrible event.

Also, once you copy the Recovery Agent’s private key to at least two safe places, one on site and one off site, remove the Recovery Agent’s certificate from the machine. This makes sure that you are secure in the event that the machine containing the Recovery Agent’s key is stolen.

Also, for domain admins, you do have the option to automatically archive EFS keys in your enterprise certificate server environment. There are instructions on the www.microsoft.com Web site on how to automatically archive EFS keys so that you can recover user EFS keys without having to resort to using the Recovery Agent keys.
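The backup the post describes can be scripted instead of done through the Certificates MMC. The following is an added example, not code from the post: it locates EFS certificates in the user’s personal store by their Enhanced Key Usage OID and exports each one with its private key to a password-protected PFX file; with the switch set it also picks up a Recovery Agent certificate held in the same store. The destination folder, the password, and the assumption that the keys were generated exportable are mine.

```powershell
# Added example, not from the original post: export the current user's EFS
# certificate(s) with their private keys to password-protected PFX files, the
# same result as the Certificates MMC export, so the backup can be copied to an
# encrypted USB key. Certificates are located by their Enhanced Key Usage OID,
# so the same function also backs up a Recovery Agent certificate held in the
# user's store. Assumed: the destination folder and password are chosen by the
# caller; the keys were generated exportable (the default for EFS).

$EfsOid          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (EFS Recovery Agent)

function Get-CertificatesByEku {
    param([string[]]$Oids)
    # Certificates in the user's personal store whose EKU extension lists any of $Oids
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        ($eku -ne $null) -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) | Where-Object { $Oids -contains $_ })
    }
}

function Backup-EfsCertificates {
    param([string]$Destination, [string]$Password, [switch]$IncludeRecoveryAgent)
    $oids = @($EfsOid)
    if ($IncludeRecoveryAgent) { $oids += $FileRecoveryOid }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    foreach ($cert in @(Get-CertificatesByEku -Oids $oids)) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning ('Skipping {0}: no private key in this store' -f $cert.Thumbprint)
            continue
        }
        $file  = Join-Path $Destination ($cert.Thumbprint + '.pfx')
        # PFX export carries the private key; the password protects it at rest on the USB key
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        Write-Host ('Exported {0} (valid until {1}) to {2}' -f $cert.Subject, $cert.NotAfter, $file)
    }
}

# Usage: E:\ is assumed to be an encrypted USB key; choose a strong password
Backup-EfsCertificates -Destination 'E:\efs-backup' -Password 'REPLACE-WITH-A-STRONG-PASSWORD' -IncludeRecoveryAgent
```

Once the Recovery Agent’s PFX is stored in the two safe places the post recommends, the certificate can be removed from the store with certutil -user -delstore My <thumbprint>.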

For more information about EFS, check out:

http://technet.microsoft.com/en-us/library/bb457065.aspx

HTH,

Tom


